Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Azure AD Connect: Filtering out local AD users not working

Deleted
Not applicable

Hello,

 

we have users in local AD that could be absent for a while and we have to disable their local AD accouns for compliance reasons.

 

Now, due to an active Azure AD sync this will also delete their account in Azure AD / Office 365. I found a neat guide how to exclude users from the AD -> AAD sync by setting a value in a free extensionAttribute and configuring a synchronization rule to set the property "cloudFiltered" to true.

 

This is all explained in this guide https://www.checkyourlogs.net/?p=66483

 

However, when testing it, as soon as I set the extension attribute and perform a delta import, and delta sync on the AD connector in the AAD Synchronization Service it will attempt to completeley delete the persons cloud object. I found out that this is because the "ms-DS-ConsistencyGUID"'s value is removed. I can't figure out why that synchronization rules causes this to occurr. I verified that it must be this rule since I can change any other attribute of the person object and it will update properly. Only when I populate the extensionAttribute configured in the sync rule will the rmoval of the "ms-DS-ConsistencyGUID"'s value be triggered.

 

Any ideas?

 

Thanks.

9 Replies
Disabling the account won't stop the sync by default.

Do you also change the OU of the account?

@Thijs Lecomte Well, no. We simply disable the AD account. And with this sync rule I was hoping that the deletion would not be replicated to AAD removing the account there since this will trigger the deletion of the user's OneDrive which is what we want to avoid when we know that the user will return after a couple of months.

best response
Solution

@Deleted 

 

The regular AD Connect flow is as follows:

- Disable account in AD

- Account gets disabled in AAD, like below:

clipboard_image_0.png

If it's disabled, the Onedrive will still exist

 

Only if you delete the account, will the account be deleted in AzureAD.

 

If the account is deleted in AAD, when you disable the account in local AD. There must be some misconfiguration because that is done by design.

 

Just to confirm what Thijs said - disabling the account in AD should NOT result in deletion of the corresponding Azure AD/Office 365 account. If that happens, you have a custom rule in place and you should edit it accordingly to exclude those users.

@Deleted 

The purpose of  setting "cloudFiltered" to "true", is to disable sync of a particular Object.

This rule that you have customized is creating issues. 
On-prem disable account will never get deleted from Azure AD, whereas for disabled accounts on prem, "Block Sign in is set to true"

clipboard_image_0.png

https://www.youtube.com/watch?v=cAWgF5QSWcs&list=PL8wOlV8Hv3o8yJgQ-zd6MQs__0jAYDqZ1

AzureActiveDirectory #AADConnect AAD connect AAD connect Sync rules - https://www.youtube.com/watch?v=27qSd9z7V3c&list=PL8wOlV8Hv3o-HNz5KrhVJOoT2VpuSp94D AAD Connect Architecture - https://www.youtube.com/watch?v=t1yHJ8DVO4Y AAD B2B collaboration - ...

Guys thanks for your help. I spoke to a colleague and unbeknownst to me with the disabling the OU was also changed. Can this be configured so that an OU change does not trigger a DELETION or ADD?

 

Thanks.

It probably means that that OU isn't sync'ed to Azure AD so you should add that in the custom filtering: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filteri...
Btw, the deletion of account starts deleting OneDrive after retention period is over, which you can also extend up to 10 years.
1 best response

Accepted Solutions
best response
Solution

@Deleted 

 

The regular AD Connect flow is as follows:

- Disable account in AD

- Account gets disabled in AAD, like below:

clipboard_image_0.png

If it's disabled, the Onedrive will still exist

 

Only if you delete the account, will the account be deleted in AzureAD.

 

If the account is deleted in AAD, when you disable the account in local AD. There must be some misconfiguration because that is done by design.

 

View solution in original post